
test(transformer): guard the maxEntityCount entity-expansion cap (#239)#242

Merged: williamzujkowski merged 1 commit into main from test/transformer-entity-cap-239 on Jun 30, 2026

Conversation

@williamzujkowski

Collaborator

Summary

createUslmParser configures fast-xml-parser with processEntities: { maxEntityCount: 128 } to bound DTD internal-entity definitions (billion-laughs / entity-expansion DoS) on untrusted upstream XML — but that control had no test, so a future refactor of the parser options could silently raise or remove it.

Test

Adds entity-expansion.test.ts:

  • Bomb case: a DOCTYPE defining 130 entities (above the 128 cap) → asserts parseUslmXml returns err.
  • Sanity case: an ordinary <uscDoc> still parses (ok), so the cap doesn't reject legitimate input.

The payload is tiny (130 short definitions), so if the cap were ever removed the document would parse under fast-xml-parser's default (maxEntityCount: 1000) and the bomb test would fail — catching the regression with no OOM risk.

Verification

  • Test passes against current parser; full transformer suite green (77 tests).
  • Confirmed it's a real guard: transiently raising the cap to 100000 makes the bomb test fail; reverted.

Test-only change. Closes #239
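To make the cap concrete, here is an added, stand-alone illustration of the guard the PR's test exercises. It is not the project's parser and not fast-xml-parser's implementation; it assumes a hypothetical pre-parse check that counts `<!ENTITY` declarations in the DOCTYPE internal subset and rejects the document above a cap of 128, and it builds the same two fixtures the test describes (130 flat entities, and an ordinary `<uscDoc>`).

```typescript
// Added example (not project code): a pre-parse guard that mirrors the
// maxEntityCount cap. It counts entity declarations in the DTD internal
// subset and refuses the document before any expansion can happen.

type GuardResult = { ok: true; doc: string } | { ok: false; error: string };

// The cap the PR's test guards.
const MAX_ENTITY_COUNT = 128;

// Returns the text between "[" and "]>" of a DOCTYPE, or null if there is none.
function internalSubset(xml: string): string | null {
  const start = xml.indexOf("<!DOCTYPE");
  if (start === -1) return null;
  const open = xml.indexOf("[", start);
  if (open === -1) return null;
  const close = xml.indexOf("]>", open);
  if (close === -1) return null;
  return xml.slice(open + 1, close);
}

// Number of <!ENTITY declarations in the internal subset (0 when there is no DTD).
function countEntityDeclarations(xml: string): number {
  const subset = internalSubset(xml);
  if (subset === null) return 0;
  return (subset.match(/<!ENTITY\s/g) ?? []).length;
}

// Rejects the document when it declares more entities than the cap;
// otherwise hands it on untouched (the real parse step is out of scope here).
function guardedParse(xml: string, maxEntityCount: number = MAX_ENTITY_COUNT): GuardResult {
  const n = countEntityDeclarations(xml);
  if (n > maxEntityCount) {
    return { ok: false, error: `DTD declares ${n} entities, cap is ${maxEntityCount}` };
  }
  return { ok: true, doc: xml };
}

// Constructed fixture, as in the PR's bomb case: `count` short, flat entity
// definitions. Tiny on purpose, so a missing cap shows up as a failed
// assertion rather than as memory exhaustion.
function entityBomb(count: number): string {
  const decls = Array.from({ length: count }, (_, i) => `<!ENTITY e${i} "x">`).join("\n");
  return `<?xml version="1.0"?>\n<!DOCTYPE uscDoc [\n${decls}\n]>\n<uscDoc>&e0;</uscDoc>`;
}

// Constructed fixture for the sanity case: an ordinary document with no DTD.
const ordinaryDoc = `<?xml version="1.0"?>\n<uscDoc><title>Sample</title></uscDoc>`;
```

Raising the cap to fast-xml-parser's default of 1000 (`guardedParse(entityBomb(130), 1000)`) accepts the same fixture, which is exactly the regression the PR's bomb test is meant to catch.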

createUslmParser sets processEntities.maxEntityCount=128 to bound DTD internal
entities (billion-laughs / entity-expansion DoS) on untrusted XML, but the
control had no test, so a refactor could silently raise or drop it. Add a test
that defines 130 entities (above the cap) and asserts parseUslmXml rejects it,
plus a sanity case that an ordinary document still parses. The payload is tiny,
so if the cap were removed the document would parse under fast-xml-parser's
default (1000) and this test would fail — catching the regression without OOM.

Verified the guard by transiently raising the cap to 100000 (test fails) and
reverting.

Closes #239

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@williamzujkowski williamzujkowski requested a review from a team as a code owner June 30, 2026 01:16
@williamzujkowski williamzujkowski merged commit f6673dc into main Jun 30, 2026
3 checks passed
@williamzujkowski williamzujkowski deleted the test/transformer-entity-cap-239 branch June 30, 2026 01:30


Linked issue (#239): test(transformer): add regression test for maxEntityCount entity-expansion cap (billion-laughs)
